W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

Re: CSP: set of report URIs

From: Ian Melven <imelven@mozilla.com>
Date: Tue, 19 Mar 2013 09:01:23 -0700 (PDT)
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, Daniel Veditz <dveditz@mozilla.com>
Message-ID: <1681868730.3865632.1363708883454.JavaMail.root@mozilla.com>


----- Original Message -----
From: "Anne van Kesteren" <annevk@annevk.nl>
To: "Daniel Veditz" <dveditz@mozilla.com>
Cc: "WebAppSec WG" <public-webappsec@w3.org>
Sent: Tuesday, March 19, 2013 8:28:12 AM
Subject: Re: CSP: set of report URIs

> I do agree with Adam that we (Mozilla) should not have done that.
> Effective TLDs are no good and using effective TLDs here also opens up
> things further than what <form> allows. Either we should be okay with
> JSON payloads going cross-origin or we should keep the same-origin
> restriction, or alternatively, we should make it a (one-way) CORS
> request.

Just a note that another option that has been discussed due to privacy
concerns around the violation report payload is to allow sending the reports
cross origin, but providing less detail than if they were going same origin.

The same origin restriction as Dan said has been complained about by sites implementing
CSP, particularly since only Gecko and not Webkit imposes it.

CORS is an interesting idea, but I think one of the cases that people are concerned
about is an attacker being able to use an injected CSP (particularly if <meta> CSP
ends up widely implemented) to send violation data to their own server, which will obviously
grant permission via CORS (same concern addressed via not allowing redirects on report POSTs
IMO)

thanks,
ian
Received on Tuesday, 19 March 2013 16:01:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC